Allele Security Alert
ASA-2019-00325
Identifier(s)
ASA-2019-00325, CVE-2019-12387
Title
CRLF injections in HTTP client APIs
Vendor(s)
Twisted Matrix Laboratories
Product(s)
Twisted
Affected version(s)
Twisted versions before 19.2.1
Fixed version(s)
Twisted 19.2.1
Proof of concept
Unknown
Description
Twisted’s HTTP client APIs were vulnerable to CRLF injection through maliciously constructed HTTP methods, hosts, and/or paths, including URI components such as paths and query parameters.
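For callers that pass untrusted values to an HTTP client and cannot yet move to the fixed version, the check below flags raw CR/LF and other invalid characters in the method and in each URI component named above. It is an added example, not code from Twisted or from the fix commit; the function names `find_injection_points` and `checked_request_args` and the sample inputs are hypothetical.

```python
import re

# RFC 7230 "token": the only characters permitted in an HTTP method.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Anything outside printable ASCII 0x21-0x7E (CR, LF, space, other control
# characters, non-ASCII) must be percent-encoded before it goes on the wire.
UNSAFE = re.compile(r"[^\x21-\x7e]")
# Component split from RFC 3986 appendix B. urllib.parse is avoided on purpose:
# recent Python releases strip CR, LF and tab from the URL before splitting.
URI = re.compile(
    r"(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?",
    re.DOTALL,
)
# "host" is the whole authority part (userinfo, host and port).
PARTS = ("scheme", "host", "path", "query", "fragment")


def find_injection_points(method, url):
    """Return the names of the request components holding invalid characters."""
    bad = [] if TOKEN.fullmatch(method) else ["method"]
    for name, value in zip(PARTS, URI.fullmatch(url).groups()):
        if value and UNSAFE.search(value):
            bad.append(name)
    return bad


def checked_request_args(method, url):
    """Return (method, url) as bytes, or raise ValueError if either is unsafe."""
    bad = find_injection_points(method, url)
    if bad:
        raise ValueError("invalid characters in " + ", ".join(bad))
    return method.encode("ascii"), url.encode("ascii")


if __name__ == "__main__":
    # Constructed inputs; example.com and X-Constructed are made-up values.
    samples = [
        ("GET", "http://example.com/a?x=1"),
        ("GET", "http://example.com/a%0d%0a?x=1"),  # percent-encoded: allowed
        ("GET", "http://example.com/a?x=1\r\nX-Constructed: 1"),
        ("GET", "http://example.com\r\nX-Constructed: 1/a"),
        ("GET /b HTTP/1.1\r\nX-Constructed: 1", "http://example.com/"),
    ]
    for method, url in samples:
        print(repr(method), repr(url), "->", find_injection_points(method, url) or "ok")
```

Percent-encoded sequences such as `%0d%0a` pass the check because they stay inside the URI component on the wire; only raw control characters can terminate the request line or a header.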
Technical details
Unknown
Credits
Alex Brasetvik
Reference(s)
Twisted 19.2.1 Released
https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html
[Twisted-Python] [SECURITY] Twisted 19.2.1 Release Announcement
https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html
Prevent CRLF injections described in CVE-2019-12387
https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
CVE-2019-12387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12387
CVE-2019-12387
https://nvd.nist.gov/vuln/detail/CVE-2019-12387
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 10, 2019